Key legislation
There are several key laws that relate to the information systems and telecommunications industries. These laws govern the collection and use of private information by both government and non-government organisations at both state and federal levels. Employers and government agencies have a legal responsibility to ensure that these laws are implemented within their organisations. Organisations must make employees and customers aware of their rights, as well as their responsibilities, in relation to these laws.
The Privacy Act includes the following:
• 13 Australian Privacy Principles (APPs) that apply to the handling of personal information by most Australian and Norfolk Island Government agencies and some private sector organisations
• credit reporting provisions that apply to the handling of credit-related personal information that credit providers are permitted to disclose to credit reporting bodies for inclusion on individuals’ credit reports
• provisions governing the collection, storage, use, disclosure, security and disposal of individuals’ tax file numbers
• provisions governing the handling of health information for health and medical research purposes in certain circumstances, where researchers are unable to seek individuals’ consent
• provision for the Information Commissioner to approve and register enforceable APP codes that have been developed
• provision for a small business operator, who would otherwise not be subject to the APPs, to opt in to being covered by the APPs.
For an individual, the Privacy Act gives people more control over the way their personal information is handled. The Privacy Act allows individuals to:
• have the option of not being identified, or of using a pseudonym, in certain circumstances (APP 2)
• know why personal information is being collected, how it will be used and who it will be disclosed to (APP 3)
• discontinue receiving unwanted direct marketing (APP 7)
• ask for access to personal information (including health information) (APP 12)
• ask for personal information that is incorrect to be corrected (APP 13)
• make a complaint about an entity covered by the Privacy Act, if personal information has been mishandled.
The APPs oversee the handling of personal information by:
• Australian and Norfolk Island Government agencies
• all private health service providers
• businesses that have an annual turnover of $3 million or those that trade personal information.
The 10 Information Privacy Principles (IPPs) are shown. The IPPs that relate to the control of storage and communication of data and information are:
IPP 4: Information must be protected from misuse, loss, unauthorised access, modification or disclosure. Reasonable steps must be taken to destroy or de-identify personal information that is no longer needed.
IPP 5: The organisation needs to be transparent about what it does with information.
IPP 7: Organisations can use unique identifiers (often these are numbers) only when able to show that the unique identifier is essential to the efficient performance of functions.
IPP 9: If your personal information travels outside Victoria, your privacy protections must travel with it.
The 11 Health Privacy Principles are summarised beside.
The Act protects the confidentiality of patients’ healthcare information by allowing the information to be used only for the primary purpose for which it was gathered. This means that information about medical test results and your medical history may be used by your doctor, the hospital and any other health professionals only for the purpose of your immediate or ongoing care. Without your consent, this information would not be disclosed to a third party (for example, your medical insurance company or another hospital) for a ‘secondary’ purpose. Health information may, however, be provided to third parties without your consent under certain, and strictly limited, circumstances that include requests by family members in an emergency when you cannot give your consent and your life is threatened; where there is a serious threat to public health and welfare; research in the public interest; investigation of unlawful activity; and as part of a legal claim.
An individual who believes that the Health Records Act has been breached can make a complaint to the Health Services Commissioner, who will try to achieve a resolution by discussion between the parties. If a satisfactory resolution cannot be reached, the Commissioner may then serve a compliance notice on the organisation that has breached the Act, informing the organisation which area of the Act has been breached and that it must correct its procedures. The maximum penalty is currently 3000 penalty units for an organisation and 600 penalty units for non-corporate cases.
Jordan is a medical student working as a receptionist at a local doctor’s surgery during his mid-term vacation. His job is to greet patients as they arrive at the surgery, retrieve their medical records and alert the doctor of their arrival. At the end of their consultation he collects the fee and makes another appointment if required.
The surgery database has detailed medical records on its 215 patients. Each record is stored under the patient’s name and address. Jordan has downloaded a copy of the surgery’s patient database onto his laptop as he wants to be able to refer to real-life examples when he is completing a group assignment for his university studies. He intends to share the medical records with the two other students in his group. Jordan’s next rotation is at a hospital in regional Victoria and he intends to take his laptop with him.
1 Refer back to the table above. List the IPPs that are relevant to this case study, with a comment on how each is relevant.
2 Has Jordan breached any other Act? If yes, which one has he breached, and how?